ESIoT is a secure access control and authentication protocol introduced
for Internet of Things (IoT) applications. The core primitive
of ESIoT is an identity-based broadcast encryption scheme called
Secure Identity-Based Broadcast Encryption (SIBBE). SIBBE is designed
to provide secure key distribution among a group of devices
in IoT networks and to enable devices in each group to perform mutual
authentication. The scheme is also designed to hide the structure
of the group from nodes outside of the group. We identify multiple
efficiency and security issues in this primitive that show SIBBE to be
unsuitable for IoT applications. First, we show that, contrary to what
was claimed, the size of the ciphertexts generated by the encryption
function is not constant but in fact linear in the number of devices
in the group. Additionally, we demonstrate that the encryption and
decryption costs are also linear in the number of nodes in the group,
implying scalability issues and thus inefficiency for IoT applications. In
terms of security, we prove that SIBBE does not achieve the desired
property of anonymity and allows an attacker to gain information
on the structure of any given group. Finally, we demonstrate how
SIBBE does not achieve the claimed chosen-ciphertext security. We
do, however, prove its security for a weaker security notion (namely
selective-ID indistinguishability against chosen-plaintext attacks)
under a variant of the GDDHE assumption.